Memory forensics is the analysis of a computer's volatile memory (RAM) to extract evidence that exists only while a system is running. Unlike disk forensics, memory forensics captures data that is lost when a system is powered off — including running processes, network connections, encryption keys, and injected malware code.
Volatile memory contains evidence that may never be written to disk:
| Evidence Type | Example |
|---|---|
| Running processes | A malicious process that has no file on disk (fileless malware) |
| Network connections | Active connections to command-and-control (C2) servers |
| Encryption keys | AES keys, BitLocker recovery keys, TrueCrypt/VeraCrypt keys loaded in memory |
| User credentials | Plaintext passwords, NTLM hashes, Kerberos tickets |
| Clipboard data | Recently copied text or images |
| Command history | Commands executed in terminal or PowerShell sessions |
| Injected code | Malware injected into legitimate processes via DLL injection or process hollowing |
| Chat messages | Decrypted messages from encrypted messaging applications |
| Registry hives | In-memory registry data that may differ from on-disk hives |
Tip: Memory forensics is essential for detecting fileless malware, which operates entirely in RAM and leaves minimal traces on disk.
Common memory acquisition tools:
| Tool | Platform | Method |
|---|---|---|
| WinPmem | Windows | Kernel driver; produces raw memory dumps |
| LiME (Linux Memory Extractor) | Linux | Loadable kernel module (LKM); outputs raw or lime format |
| DumpIt | Windows | Portable executable; one-click memory acquisition |
| Belkasoft RAM Capturer | Windows | Free tool; minimal footprint |
| AVML | Linux | Microsoft's memory acquisition tool; does not require kernel headers |
| osxpmem | macOS | Memory acquisition for macOS systems |
Typical acquisition commands:

```bash
# Windows: DumpIt (run from USB)
DumpIt.exe

# Linux: LiME
sudo insmod lime-$(uname -r).ko "path=/evidence/memory.lime format=lime"

# Linux: AVML
sudo avml /evidence/memory.raw
```
Memory image formats you will encounter:
| Format | Description |
|---|---|
| Raw | Flat binary file; exact copy of physical memory |
| LiME | Linux Memory Extractor format; includes metadata headers for each memory range |
| ELF core dump | Executable and Linkable Format; includes process memory segments |
| Crash dump | Windows crash dump format (.dmp); can be full or kernel-only |
| Hibernation file | hiberfil.sys (Windows); contains compressed memory contents from hibernation |
Note: Windows hibernation files (hiberfil.sys) and crash dumps can be converted to raw memory images for analysis, providing memory forensic opportunities even without a live acquisition.
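As an added example (not part of the lesson), here is a small parser for the LiME format described in the table above: each memory range is preceded by a 32-byte header (magic 0x4C694D45, version, inclusive start and end physical addresses, 8 reserved bytes) followed by the range's bytes. The sample image is constructed inline with filler bytes; a truncated range, which is what an interrupted acquisition looks like, is reported as an error rather than silently accepted.

```python
import struct

# LiME range header: magic and version (uint32), then start/end physical
# addresses (uint64, end is inclusive) and 8 reserved bytes; 32 bytes total.
LIME_HEADER = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45  # appears as b"EMiL" when viewed in a hex editor


def parse_lime(image: bytes):
    """Walk a LiME image and return a list of (start, end, size) per range.

    Raises ValueError on a bad magic value, an unknown version, or a range
    whose data does not fit in the file (a truncated acquisition).
    """
    ranges = []
    offset = 0
    while offset < len(image):
        if len(image) - offset < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {offset:#x}")
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(image, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {offset:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        size = e_addr - s_addr + 1  # end address is inclusive
        offset += LIME_HEADER.size
        if offset + size > len(image):
            raise ValueError(
                f"range {s_addr:#x}-{e_addr:#x} truncated: need {size} bytes, have {len(image) - offset}"
            )
        ranges.append((s_addr, e_addr, size))
        offset += size
    return ranges


def build_range(s_addr: int, data: bytes) -> bytes:
    """Build one LiME range (header + data); used only for the constructed sample."""
    header = LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(data) - 1, b"\x00" * 8)
    return header + data


# Constructed sample image: two ranges separated by a hole, mimicking the
# physical memory map a real LKM dump would record. Filler bytes stand in
# for memory contents.
SAMPLE_IMAGE = build_range(0x1000, b"\xAA" * 0x100) + build_range(0x100000, b"\xBB" * 0x40)

if __name__ == "__main__":
    for start, end, size in parse_lime(SAMPLE_IMAGE):
        print(f"range {start:#010x}-{end:#010x} ({size} bytes)")
```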
Volatility is the leading open-source memory forensics framework:
| Plugin | Purpose |
|---|---|
| windows.pslist | List running processes |
| windows.psscan | Scan for hidden or terminated processes |
| windows.netscan | List network connections and listening ports |
| windows.dlllist | List DLLs loaded by a process |
| windows.malfind | Detect injected code in process memory |
| windows.handles | List open handles (files, registry keys, mutexes) |
| windows.filescan | Scan for file objects in memory |
| windows.hashdump | Extract password hashes from the SAM |
| windows.cmdline | Display command-line arguments for each process |
| windows.envars | List environment variables for processes |
| linux.pslist | List running Linux processes |
| linux.bash | Extract bash command history from memory |